FOR408: Computer Forensic Investigations - Windows In-Depth

Master computer forensics. Learn critical investigation techniques. With today's ever-changing technologies and environments, it is inevitable that every organization will deal with cybercrime including fraud, insider threat, industrial espionage, and phishing. In addition, government agencies are now performing media exploitation to recover key intelligence kept on adversary systems. In order to help solve these cases, organizations are hiring digital forensic professionals and calling cybercrime law enforcement agents to piece together what happened in these cases.

FOR408: Computer Forensic Investigations - Windows In-Depth focuses on the critical knowledge of the Windows OS that every digital forensic analyst must know to investigate computer incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

This course covers the fundamental steps of the in-depth computer forensic and media exploitation methodology so that each student will have the complete qualifications to work as a computer forensic investigator in the field, helping solve and fight crime. In addition to in-depth technical knowledge of Windows digital forensics (Windows XP through Windows 7 and Server 2008), you will be exposed to well-known computer forensic tools such as Access Data's Forensic Toolkit (FTK), Guidance Software's EnCase, Registry Analyzer, FTK Imager, Prefetch Analyzer, and much more. Many of the tools covered in the course are freeware, comprising a full-featured forensic laboratory that each student can take with them.

FOR408: Computer Forensic Investigations - Windows In-Depth is the first course in the SANS Computer Forensic Curriculum. If this is your first computer forensics course with SANS, we recommend that you start here.

Course Syllabus

FOR408.1: Digital Forensics Fundamentals and Evidence Acquisition

Overview

Focus: Investigations begin with a firm knowledge of proper evidence acquisition and analysis. Digital forensics is more than just using a tool that automatically recovers data; it requires analytical skills. Today you will learn how the professionals accomplish digital forensics.

At the beginning, investigating a case can appear to be a daunting task. The hardest part of forensics is not recovering data, but understanding how the recovered evidence could prove a case. Starting on this day, students are familiarized with the fundamental forensic topics that every investigator should know.

Securing or "bagging and tagging" digital evidence can be tricky. Each computer forensic examiner should be familiar with the different methods of acquiring it while maintaining the integrity of the evidence. Starting with the foundations of law enforcement training in proper evidence handling procedures, you will learn firsthand the best methods for acquiring evidence in a case. You will utilize the Tableau T35es write blocker, part of your SIFT Essentials kit, to obtain evidence from a hard drive using the most popular tools in the field. You will learn how to utilize toolkits to obtain memory, encrypted or unencrypted hard disk images, or protected files from a computer system that is running or powered off.

Overview

Focus: Moving quickly from evidence acquisition, you will begin your investigation using the cutting-edge tools that the pros use. Through host, server, and webmail forensics, the investigator will learn how to recover and analyze email, the most popular form of communication.

The day will begin with the analysis of electronic evidence using commercial and freely available toolkits packaged into the Windows SIFT Workstation. You will learn how to recover deleted data from the evidence, perform string searches against it using a word list, and begin to piece together the events that shaped the case. Today's material is critical for anyone performing digital forensics who needs the most up-to-date techniques for acquiring and analyzing digital evidence.

Email Forensics: Investigations involving email occur every day. However, email examinations require the investigator to pull data locally, from an email server, or even to recover web-based email fragments from temporary files left by a web browser. Email has become critical evidence in many cases, and the investigator will learn the steps needed to investigate Outlook, Exchange, webmail, and even Lotus Notes email cases.

This course is very hands-on. Each investigator will acquire a disk image and begin analysis of a case that exercises the skills presented throughout the day. This course is necessary for anyone looking to put into practice the skills they are learning daily.

CPE/CMU Credits: 6

Topics

Forensic tools

Access Data's Forensic Tool Kit (FTK)

Guidance Software's EnCase

Freeware/Open source capabilities

Traditional tasks performed with the forensic tools

Triage techniques

String/file searches

Automated forensics

Browsing disks

Recover deleted files

Automated recovery

String searches

Dirty word searches

Email forensics

How email works

Locations

Examination of email

Types of email formats

Microsoft Outlook/Outlook Express

Web based mail

Microsoft Exchange

Lotus Notes

Email analysis

Email searching and examination

Day 2 exercises

Recover deleted files

Search for files or emails containing specific words related to a case

Overview

The day continues with the Windows Registry. The digital forensic investigator will learn how to discover critical user and system information from the Registry that is pertinent to any investigation. Each examiner will learn how to examine the Registry to obtain user profile data and system data. The course will also teach each forensic investigator how to show that a specific user performed keyword searches, ran specific programs, opened and saved files, and how to list the most recent items that were used.

Finally, USB device investigations are becoming an increasingly key part of performing computer forensics. We will show you how to perform in-depth USB device examinations on Windows 7, Vista, and Windows XP machines. We will show you when the device was first plugged in, when it was last plugged in, the vendor/make/model, and even how to identify the unique device that was used.

Throughout the day, the investigator will utilize their skills in a real hands-on case, exploring and analyzing evidence.

CPE/CMU Credits: 6

Topics

Registry Forensics in-depth

Registry basics

Hives, keys, and values

Registry last write time

MRU lists

Profile users and groups

Discover usernames and the SID mapped to them

Last login

Last failed login

Logon count

Password policy

Core system information

Identify current control set

System name and version

Timezone

Local IP Address info

Wireless/Wired/3G Networks

Network shares

Last shut down time

User forensic data

Evidence of program execution

Evidence of file download

Evidence of file and folder access (Shellbag)

XP and Win7 search history

Typed URLS

Recent documents

Open/Save and Run dialog boxes

Application execution history (UserAssist)

USB device forensic examinations

Vendor/Make/Version

Unique serial number

Last drive letter

Volume name and serial number

The username that used the USB Device

Time of first use of USB device

Time of first use of USB device after last reboot

Time of last use of USB device

Tools utilized

Regripper

Access Data's Registry Viewer

YARU (Yet Another Registry Utility)

Day 3 exercises

Profile a computer system using evidence found in the registry.

Profile a user's activities using evidence found in the registry.

Track USB devices that were connected to the system via the registry and filesystem

Overview

Focus: Suspects unknowingly create hundreds of files that link back to their actions on a system. Learn how to examine key files such as link files, the Windows prefetch, the pagefile/system memory, and more. The latter part of the day will center on examining the Windows log files and their usefulness in both simple and complex cases.

Continuing from the previous day, the investigator will initially focus on key files found on the Windows operating system that contain evidence. We start by examining the pagefile, system memory, and unallocated space, all difficult-to-access locations that could hold the critical piece of your case. These files can be especially important to an investigation, providing key evidentiary links to pictures, printed office documents, or files that were saved to a removable device.

Windows log file analysis has solved more cases than possibly any other type of analysis. Understanding the locations and content of these files is crucial to the success of any type of investigator. Many overlook these files because they lack adequate knowledge or tools to get the job done. The last part of the day will arm each investigator with the core knowledge and capability that will enable them to maintain this crucial skill for many years to come.

CPE/CMU Credits: 6

Topics

Memory, Pagefile, and unallocated space analysis

Artifact recovery and examination

Facebook live, MSN Messenger, Yahoo, AIM, GoogleTalk chat

IE8/IE9 InPrivate/Recovery URLs

Yahoo, Hotmail, Gmail Webmail email

Forensicating files containing critical digital forensic evidence

Office documents (2000-2007, .doc and .docx)

Adobe files

Exif data including GPS coordinates

Link/shortcut files (.lnk)

Windows 7 jump lists

XP Thumbs.db and Vista / Win7 Thumbscache files

Internet chat programs (Skype/AIM/MSN)

Windows Prefetch analysis (XP/Vista/Win7)

Windows Recycle Bin analysis (XP/Vista/Win7)

Windows event log digital forensic analysis

Which Windows events matter to a digital forensic investigator

EVT log files

EVTX log files

Day 4 exercises

Recycle Bin analysis

Shortcut (LNK) file analysis

Prefetch folder analysis

Find and examine various logfiles from hosts and servers to determine critical case details

FOR408.5: Core Windows Forensics Part IV - Web Browser Forensics

Overview

Focus: Internet Explorer and Firefox Browser Digital Forensics. Learn how to examine exactly what an individual did while surfing via their web-browser. The results will give you pause the next time you use the web.

With the increasing use of the web and the shift toward cloud computing using web-based applications, browser forensic analysis has become an essential investigator skill. The investigator will explore the comprehensive web browser evidence created during the use of Internet Explorer and Firefox. The analyst will learn how to examine cookies, history, and Internet cache files on the suspect's system. We will show you where to find and examine these files and the common mistakes amateur investigators make when looking at browser artifacts.

Throughout the day, the investigator will utilize their skills in real hands-on cases, exploring evidence created by Firefox and Internet Explorer as well as Windows OS artifacts.

CPE/CMU Credits: 6

Topics

Browser forensics

History

Cache

Searches

Downloads

Understanding of browser timestamps

Internet Explorer 6, 7, 8, and 9

IE Key forensic file locations

History Index.dat (master, daily, weekly) timestamps

Cache Index.dat timestamps

InPrivate browsing

IE8/IE9 recovery folder analysis

Firefox 2-5

FF2 and FF3-5 key forensic file locations

Mork format and .sqlite files

Download history

Cache examinations

Typed URLs

FF3+ recovery data analysis

Private browsing

Session Recovery

Examination of browser artifacts

Flash cookie files

DOM objects

Super cookies

Tools used

MANDIANT Inc.'s Web Historian

Access Data's FTK

FoxAnalysis

Day 5 exercises

Track a suspect's activity in browser history and cache files

Examine which files a suspect downloaded

Determine which URLs a suspect typed, clicked on, or bookmarked, and which merely popped up while they were browsing

FOR408.6: Digital Forensic Challenge and Mock Trial

Overview

Focus: Windows Vista/7-based digital forensic challenge. There has been a murder-suicide and you are the investigator assigned to process the hard drive. This day is a capstone for every artifact discussed in the class. You will use this day to solidify the skills you have learned over the past week.

Nothing will prepare you more than a full hands-on challenge utilizing the skills and knowledge presented throughout the week. In the morning, you will have the option of working in teams on a realistic forensic case in which evidence will be provided to you to analyze. The case will step you through proper acquisition, analysis, and reporting in preparation for a possible trial. Every team will work on the case for the majority of the day with the objective of discovering critical pieces of evidence to present during the trial.

The case presented is a complex murder case that will engage the individual in examining one of the most recent versions of the Windows operating system released. The case took 3 weeks to create, following a script that lays out the key parts of the case in correct time sequence to make for the most realistic training opportunity available. Solving the case will require skills from each of the previous days.

The day will conclude with a mock trial in which the collected evidence will be presented. The team with the best in-class presentation and short write-up will win the challenge and the case.

Additional Information

Laptop Required

A properly configured computer system is required for each student participating in this course. Before coming to class, download the forensic installation document, which describes in detail the steps to follow to complete the installation. If you do not carefully read and follow these instructions exactly, you are guaranteed to leave the course unsatisfied, since you will not be able to accomplish many of the in-class exercises.

You will use VMware with a preconfigured virtual forensic workstation built in a Windows 7 Home Premium environment that will enable you to perform hands-on analysis during class. You must download and install VMware Workstation 7, VMware Fusion 4.0, or VMware Player 4.0 (or higher versions) on your system prior to the start of class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. VMware Player is a free download.

MANDATORY LICENSE REQUIREMENTS:

Very Important: Students must bring a Retail, OEM, or MSDN Microsoft Windows 7 Home Premium license key with them to class at the beginning of the first day.

Do not bring a license key that is already in use on another system, as it will likely not work.

You can purchase licenses from http://www.microsoftstore.com

The key will look like XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Corporate, site, volume, and group licenses are not acceptable, as they will fail the Windows Genuine Advantage test.

Write down and bring with you a Microsoft Windows 7 Home Premium license key (XXXXX-XXXXX-XXXXX-XXXXX-XXXXX)

Bring the proper laptop hardware and software configuration

Install VMware Workstation, Player, or Fusion

Bring the proper mandatory additional items

FOR408 Laptop Setup F.A.Q. (Frequently Asked Questions)

Can I use Win7 Professional or Ultimate for the class? No, only Win7 Home Premium will work.

Where can I purchase the license online without having to go to a store? Will any retail version of Win7 Home Premium work? You can purchase or bring licenses from the Microsoft Store, MSDN, or Microsoft TechNet. Overall, any retail version of Win7 Home Premium will work.

My company already has a Win7 Professional site license; can I use that license? Unfortunately, even though your organization might have a site license, we would still need you to bring a separate retail license. Retail licenses and site/enterprise licenses are incompatible.

Why don't you include the Win7 Home Premium license in the class, even if it increased the price of the course? When we asked previous classes, many students already had a license and did not want to spend money on another copy. As a result, the overwhelming preference was that each student should bring his or her own copy. We are looking at ways in the future to offer an optional purchase of the license, but in the meantime you can purchase Win7 Home Premium online at the Microsoft online store or at Microsoft TechNet.

My company refuses to pay for a Win7 Home Premium license because we have a site license; what options do I have? With a site/enterprise license, each organization gets access to MSDN. I guarantee the Win7 Home Premium keys are probably not in use. I recommend calling your IT support and asking to bring one of the MSDN Win7 Home Premium keys with you.

I have a workstation already installed with Win7 Home Premium; can I use the license key with two computers? No, it will not work.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

Incident response team members who are new to responding to security incidents and need to utilize computer forensics to help solve their cases

Law enforcement officers, federal agents, or detectives who desire to become subject matter experts in computer forensics for Windows-based operating systems

Media exploitation analysts who need to master Tactical Exploitation and Document and Media Exploitation (DOMEX) operations on systems used by an individual. They will be able to determine specifically how the individual used their system, who they communicated with, and which files they downloaded, edited, or deleted.

Author Statement

After 25 years in law enforcement, when I think of what makes a great digital forensic analyst, three things immediately rise to the top of my list: superior technical skill, sound investigative methodology, and the ability to overcome obstacles. SANS FOR408, Windows In-Depth, was designed around imparting these critical skills to the students. Unlike many other forensics training courses that focus on teaching a single tool, FOR408 provides training on many tools. While there are some really exceptional tools available, we feel every forensicator needs a variety of tools in their arsenal so they can pick and choose the best tool for each task. But we also understand that a great forensics analyst is not great because of the tool(s) they use; they are great because they artfully apply the right investigative methodology to each analysis. A carpenter can be a master with all his tools and still not know how to build a house. FOR408 is designed to teach and allow each student to apply digital forensic methodologies for a variety of case types and situations, allowing them to apply in the real world the right methodology to achieve the best outcome. Finally, this course is designed to teach and demonstrate the problem-solving skills necessary to be a truly successful forensicator. Almost immediately after starting your forensic career, you learn that each forensic analysis presents its own unique challenges. A technique that worked flawlessly in previous exams may not work in the next. A good forensicator must be able to overcome obstacles through advanced troubleshooting and problem solving. FOR408 gives students the foundation that will allow them to solve future problems, overcome obstacles, and become great forensicators. No matter if you are new to the forensic community or have been doing forensics for years, FOR408 is a must-have course. - Ovie Carroll

SANS COMPUTER FORENSICS GRADUATE THWARTS BANK HEIST. Headlines similar to these are now a reality, as former students have emailed me regularly about how they were able to use their digital forensic skills in very real situations. Graduates of Computer Forensics Windows In-Depth are the front-line troops deployed when you need accurate digital forensic and media exploitation analysis. From analyzing terrorist laptops to investigating insider intellectual property theft and fraud, SANS digital forensic graduates are battling and winning the war on crime and terror. Graduates have directly contributed to solving some of the toughest cases out there because they learn how to conduct analysis and run investigations properly. Knowing that this course places the correct methodology and knowledge in the hands of responders who thwart the plans of criminals or foreign attacks brings me great comfort. Graduates are doing it. Daily. I am proud that the Computer Forensic Investigations - Windows In-Depth course at SANS helped prepare them to fight and solve crime. - Rob Lee

Computer forensics has never been more in demand than it is today. Zettabytes of data are created yearly, and forensic examiners will increasingly be called in to separate the wheat from the chaff. For better or worse, digital artifacts are recorded for almost every action, and the bar has been raised for those investigators working to repel computer intrusions, stop intellectual property theft, and put the bad guys in jail. We wrote this course as the forensics training we wish had been available early in our careers. Keeping up with the cutting edge of forensics is daunting, and with frequent updates I am confident this course provides the most up-to-date training available -- whether you are just starting out or are looking to add to your forensic arsenal. - Chad Tilbury